
BKDR_SDBOT.A PLEASE HELP ME!!!!


Wullie

Programmer
Hi,

I have been having problems with my machine since I formatted it about a week ago and now my scanner has alerted me of the following virus..

BKDR_SDBOT.A

The only other details I get are that the username is default..

The problem is that the infected file is Rundll32.exe and windows will not let me delete or modify it, my scanner cannot even quarantine it..

I have blocked all access with my firewall but unfortunately the file has already accessed the net on several occasions..

How do I clean this file without damaging my system?

Please help me, I'm desperate..

Thanks in advance, Wullie

 
I don't recognize that virus. What antivirus program and what operating system are you using?

If you have windows 95, 98, or ME download Startlog.com from the link and run it. It'll create 2 text files on your desktop. Copy and paste the contents of Startlog (not Stubpaths) to your reply here so we can have a look.


If you have 98 you can use system file checker to extract a clean rundll32.exe into the windows folder. (The extract function in ME is in msconfig...click start--run--msconfig) This site uses pics to explain how to use sfc:
If you have no windows cd to extract from then place c:\windows\options\cabs in the 'restore from' box in sfc and it'll search for the file in your cab files assuming they're on the drive and in that location.
 
Hi mate,

Trend PC-cillin and windows ME..

I scanned the machine in safe mode and it quarantined the file..

This is the result of startlog..

---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 06/04/2002 3:21:27.78
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.56) - Release Date 3/11/2002

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"PCCIOMON.EXE"="\"C:\\Program Files\\Trend PC-cillin 7.5\\PCCIOMON.EXE\""
"pop3trap.exe"="\"C:\\Program Files\\Trend PC-cillin 7.5\\pop3trap.exe\""
"WebTrap.exe"="\"C:\\Program Files\\Trend PC-cillin 7.5\\WebTrap.exe\""


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\PROGRAM FILES\\MESSENGER\\MSMSGS.EXE\" /background"
"Livehelper"="C:\\Program Files\\Livehelper.com LLC\\Livehelper Operator Services\\operator.exe /s"


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"TrueVector"="C:\\WINDOWS\\SYSTEM\\ZONELABS\\VSMON.EXE -service"
"PCCIOMON.EXE"="\"C:\\Program Files\\Trend PC-cillin 7.5\\PCCIOMON.EXE\""
"Win32 Rundll Loader"="Rundll32.exe"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP
SET PATH=C:\usr\bin\;C:\usr\bin\Perl\bin\;C:\WINDOWS;C:\WINDOWS\COMMAND

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

*(No start-ups found)*

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder

C:\WINDOWS\All Users\Start Menu\Programs\StartUp\ZoneAlarm Pro.lnk

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\PROGRAM FILES\\MESSENGER\\MSMSGS.EXE\" /background"
"Livehelper"="C:\\Program Files\\Livehelper.com LLC\\Livehelper Operator Services\\operator.exe /s"


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]


-================================-
StubPaths - Registry (Partial Listing)
-================================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"StubPath"=""
"OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:WIN9X /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
"OldStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:WIN9X /user /install"
"RealStubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:IE50 /user /install"
"StubPath"="C:\\WINDOWS\\SYSTEM\\updcrl.exe -e -u C:\\WINDOWS\\SYSTEM\\verisignpub1.crl"
"StubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

@echo off

REM Notes:
REM DOSSTART.BAT is run whenenver you choose "Restart the computer
REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
REM you to load programs that you might not want loaded in Windows,
REM (because they have functional equivalents) but that you do
REM want loaded under MS-DOS. The two primary candidates for
REM this are MSCDEX and a real mode driver for the mouse you ship
REM with your system. Commands that you want present in both Windows
REM and MS-DOS should be placed in the Autoexec.bat in the
REM \Image directory of your reference server. Please note that for
REM MSCDEX you will need to load the corresponding real-mode CD
REM driver in Config.sys. This driver won't be used by Windows 98
REM but will be available prior to and after Windows 98 exits.
REM
REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
REM before Windows loads and access the CD-ROM. All you have to do
REM is press F8 and then run DOSSTART to load MSCDEX and your real
REM mode mouse driver (no need to remember the command line parameters
REM for these two files.
REM
REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
REM - The string following the /D: statement must explicitly match
REM the string in CONFIG.SYS following your CD-ROM device driver.

REM MSCDEX.EXE /D:OEMCD001 /l:d
REM MOUSE.EXE



-=================-
WININIT.BAK File - (c:\windows\wininit.bak)
(name) (type) (size)(modified)(time)
wininit bak 270 05/04/02 16:56
-=================-

[rename]
C:\PROGRA~1\TRENDP~1.5\TMUPDITO.EXE=C:\PROGRA~1\TRENDP~1.5\TEMP\TMUPDITO.EXE
C:\PROGRA~1\TRENDP~1.5\WEBTRAP.EXE=C:\PROGRA~1\TRENDP~1.5\TEMP\WEBTRAP.EXE
C:\PROGRA~1\TRENDP~1.5\WTRES.DLL=C:\PROGRA~1\TRENDP~1.5\TEMP\WTRES.DLL
NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp
-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-


==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

COMSPEC=C:\WINDOWS\COMMAND.COM
TEMP=C:\WINDOWS\TEMP
TMP=C:\WINDOWS\TEMP
PATH=C:\usr\bin\;C:\usr\bin\Perl\bin\;C:\WINDOWS;C:\WINDOWS\COMMAND
winbootdir=C:\WINDOWS
windir=C:\WINDOWS

File - c:\windows\Wininit.bak
File - c:\windows\deletefi.ini

==========================================================================
__________________________________________________________________________

- End -

Thanks again mate,

Wullie

 
Hi mate,

This gets better and better!!

Trend lets you submit a virus to the "Virus doctors" as they call it.. Yet, when I tried to submit it I got a virus alert from their smtp server saying that the attachment had been intercepted and deleted!! LOL

You think that they would disable the virus scanner for that mail box... Wullie

 
Ok this line refers to the trojan:

"Win32 Rundll Loader"="Rundll32.exe"

Look for it in msconfig and uncheck it if it's there or you may get a startup error. The trojan is no longer active since you were able to quarantine it.

It's interesting how Pc-cillin detects that trojan yet their website has no info about it and neither does anyone else. I wonder if it really is a trojan because rundll32.exe is a windows file. Do you have a rundll32.exe file in the windows folder now? If not you'll need to extract a new one. It's in the Win_17.cab file on the ME cd.

I'm curious, what files does Pc-cillin have in quarantine? Is it just rundll32.exe?

Why they rejected your submission I don't know. Maybe they have it set to reject files containing viruses they already know about but that's only a guess. Maybe you should email them and ask about that.

 
I just noticed something in your Startlog that I'm not sure about. I'm going to email the maker of Startlog and ask him about it. I'll let you know if it's anything to be concerned about.
 
Hi mate,

Bad Bad news!!

I left the scanner on overnight just to check for anything else and it has reported another 23 viruses!!

But, I am not sure about the files it is reporting..

21 of them are in the restore folder used for system restore and are rundll32.exe..

The other two are:

Six buttons from hell.izs ??? In Eversoft 1st page folder..
tle20813397.exe In windows\temp

The 1st page one is really confusing me as this was in the actual buttons folder...

I also wondered why they did not have anything on their website about it.. I am going to email them..

I just don't understand why the virus scanner didn't find these files before..

BTW. What was the other thing that you noticed??

There are quite a few things that are running on the machine including perl for testing purposes..

Thanks a lot for the help.. I appreciate it, Wullie

 
Hmm, on second thoughts that link to McAfee may not be all that helpful as it looks like you may have a different version that may not connect over IRC. It may be worth looking at where there are a bunch of trojan cleaners and a whole heap of info.
 
Hi mate,

Thanks but I have managed to clean the machine now..

I had to boot in safe mode, then delete the restore folder.

The thing that gets me is that somehow, this virus was being called when I clicked on a mailto link but only if it was hotmail that was set as the default mail program.. Hotmail would not launch (As I mentioned in the IE forum) but instead rundll32.exe would try to connect.

I also really want to know how the virus scanner did not alert me for 2 weeks.. I must have been infected that long as that is how long I have had the mailto problem.. As soon as the machine was cleaned, mailto links worked..

Thanks again, both of you.. Wullie

 
Here's a tip on sending infected files through an e-mail system. Use Winzip, or your favourite file zipper, and password protect the file with a suitable password like "infected", then attach it to the e-mail with the subject: infected file, password = infected
Thus any of the email systems which may try to clean emails will not destroy the file, since they will find it password protected, if they try to look inside the compressed file.
 
Hi mate,

I am aware that you could do this but that wouldn't help me mate, it is a button on the actual program that sends the file. When the file is quarantined, you are able to submit the file to them by clicking this button.

I cannot see why they do not disable the virus scanner for that particular account.. It would be so easy to do..

Thanks anyway mate, Wullie

 
Try to replace this file with another from the same operating system as yours. I had recently the same problem in win98 caused by the Nimda virus, and I replaced this file from a similar computer with win98, and no more problems...

Good luck
 
If you have Win98 and the computer is still booting it isn't necessary to find another computer to replace a system file. Run SFC (System File Checker) from the Run box on the Start menu, and specify which file you want to replace and where your CAB files are, and it will replace a damaged or deleted file.
 
Thanks for the info guys. The day before yesterday my scanner reported the same trojan.... And yesterday, 36 times in the recovery files.
Did try to clean but not finished yet. Ironically it was first detected in a Zone alarm executable. Think in my case it causes frozen screens sometimes when I am surfing the internet. A reboot is the only remedy. Using XP and pc-cillin I had the same doubts about the scanner detecting the trojan, but not describing the virus details....

 
IRC-Sdbot
Corporate User: Low
Home User: Low

Trojan Information
Discovery Date: 02/07/2002
Origin: Russia?
Length: varies
Type: Trojan
SubType: Win32
Minimum DAT: 4186
Release Date: 02/13/2002
Minimum Engine: 4.1.50
Description Added: 03/20/2002
Description Modified: 03/20/2002 4:48 PM (PT)

Trojan Characteristics:
There are several variants of this trojan so this description is only a guide.
When run, it copies itself to "%windir%\system\cnfgld32.exe", where %windir% is the directory Windows is installed in. It adds the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Configuration Loader="cnfgld32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Configuration Loader="cnfgld32.exe"
It connects to an IRC channel and accepts commands from there. The commands are related to performing denial of service attacks and downloading and running files on the victim's computer.

This was first added in the 4186 DATs, but newer variants require the daily DATs. See the removal instructions for more information on the daily DATs.

Symptoms
Registry key or file mentioned above.

Method Of Infection
Running the trojan installs it on the computer.

Removal Instructions
Detection is included in our DAILY DAT (beta) files and will also be included in the next weekly DAT release. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.


Disabling System Restore

Windows ME and XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder.

Windows ME

1. Right click the My Computer icon on the Desktop and click on Properties.
2. Click on the Performance tab.
3. Click on the File System button.
4. Click on the Troubleshooting tab.
5. Put a check mark next to 'Disable System Restore'.
6. Click the 'OK' button.
7. You will be prompted to restart the computer. Click Yes.

Note: To re-enable the Restore Utility, follow steps one to seven and on step five remove the check mark next to 'Disable System Restore'.

Windows XP

Disabling the System Restore Utility (Windows XP Users)

1. Right click the My Computer icon on the Desktop and click on Properties.
2. Click on the System Restore tab.
3. Put a check mark next to 'Turn off System Restore on All Drives'.
4. Click the 'OK' button.
5. You will be prompted to restart the computer. Click Yes.

Note: To re-enable the Restore Utility, follow steps one to five and on step three remove the check mark next to 'Turn off System Restore on All Drives'.


FatesWebb

if you do what I suggested it is not my fault...
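As an added example (not code from the thread or from any of the posters), the following Python script parses the StartUp.Log format pasted earlier in this thread and flags the two indicators discussed: a Run/RunServices entry that launches Rundll32.exe with no DLL argument (the "Win32 Rundll Loader" line the earlier reply pointed at), and the "Configuration Loader"="cnfgld32.exe" value from the McAfee IRC-Sdbot description above. The embedded log is a constructed excerpt of the thread's log with the McAfee value added; the section and value patterns are assumptions about the log format based on what is shown here.

```python
"""Scan an rmbox StartUp.Log report (the format pasted in the thread) for the
autostart entries this thread turns on.

Check 1: rundll32.exe registered under Run/RunServices with no DLL argument,
         as in "Win32 Rundll Loader"="Rundll32.exe". Legitimate entries such as
         LoadPowerProfile always name a DLL and an entry point.
Check 2: the IRC-Sdbot indicators from the McAfee description: a value named
         "Configuration Loader" or a command pointing at cnfgld32.exe.
"""
import re

# Section header for a registry key, e.g. [HKEY_LOCAL_MACHINE\...\RunServices]
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
# A registry value as the log prints it:  "Name"="command"  (regedit escaping)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>.*)"$')
# rundll32 followed by a DLL argument, quoted or unquoted
RUNDLL_WITH_DLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+(?:"[^"]+\.dll"|\S+\.dll)', re.IGNORECASE)

# Constructed excerpt of the StartUp.Log posted in the thread, with the
# McAfee-documented "Configuration Loader" value added for illustration.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"PCCIOMON.EXE"="\"C:\\Program Files\\Trend PC-cillin 7.5\\PCCIOMON.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"TrueVector"="C:\\WINDOWS\\SYSTEM\\ZONELABS\\VSMON.EXE -service"
"Win32 Rundll Loader"="Rundll32.exe"
"Configuration Loader"="cnfgld32.exe"
'''


def unescape(value):
    """Undo regedit-style escaping (doubled backslashes, escaped quotes) in one pass."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_entries(log_text):
    """Yield (registry_key, value_name, command) for every registry value in the log."""
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group('name'), unescape(m.group('cmd'))


def find_suspicious(log_text):
    """Return (key, name, command, reason) for each entry matching one of the checks."""
    findings = []
    for key, name, cmd in parse_entries(log_text):
        low = cmd.lower()
        if 'rundll32' in low and not RUNDLL_WITH_DLL_RE.search(cmd):
            findings.append((key, name, cmd, 'rundll32 autostart with no DLL argument'))
        elif name.lower() == 'configuration loader' or 'cnfgld32.exe' in low:
            findings.append((key, name, cmd, 'IRC-Sdbot indicator from the McAfee write-up'))
    return findings


if __name__ == '__main__':
    for key, name, cmd, reason in find_suspicious(SAMPLE_LOG):
        print(f'{reason}: [{key}] "{name}"="{cmd}"')
```

Entries such as LoadPowerProfile, which pass a DLL and entry point to rundll32, are not reported, so the output is only the two lines a reader of this thread would want to chase.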
 
Hi

I have the same virus on my pc that was detected by pc cillin. I use windows ME. Is it safe to just delete the restore folder without messing up my pc?

Thanks a lot guys

Andy
 